rpms/clevis
5
0
Fork 0
Code Issues Pull Requests Releases Activity
e9acb551d3
clevis/clevis.spec
Sergio Correia e9acb551d3 Handle case where we try to use a partially used luksmeta slot 
In some situations, especially with older versions of clevis, we can end
up with a partially used luksmeta slot.

We can identify such slots because they will be marked as inactive, yet
they will contain the clevis UUID, "cb6e8904-81ff-40da-a84a-07ab9ab5715e".

When this situation happens, we have cryptsetup and luksmeta slots "out
of sync", and since we currently have cryptsetup choose the slot, we may
end up trying to use such a partially used slot, which in turn will fail
because luksmeta will not be able to save data to it.

We handle this case by wiping the partially used slot, if we identify
the situation will arise.

Tests also added to verify this case is handled properly.

Fixes: #70
2019-12-19 09:43:27 -03:00

267 lines
8.6 KiB
RPMSpec
Raw Blame History

%global _hardened_build 1
%global _default_patch_fuzz 2
Name: clevis
Version: 11
Release: 11%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: Delete-remaining-references-to-the-removed-http-pin.patch
Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
Patch2: Add-device-TCTI-library-to-the-initramfs.patch
# Support for tpm2-tools 4.0, backported from the following pull-request:
# https://github.com/latchset/clevis/pull/114
Patch4: clevis-encrypt-tpm2-fix-TPM-object-attributes.patch
Patch5: clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch
Patch6: pins-tpm2-add-support-for-tpm2-tools-4.X.patch
# Backport of some fixes and also adding tests in the build.
Patch7: 0001-Backport-upstream-tests-and-fixes.patch
Patch8: 0002-Disabling-LUKS2-tests-for-now.patch
Patch9: 0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 3.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: cracklib-dicts
BuildRequires: luksmeta
BuildRequires: openssl
Requires: tpm2-tools >= 3.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires(pre): shadow-utils
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKSv1
volumes during early boot.
%package luks
Summary: LUKSv1 integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKSv1 integration for clevis. This package allows you to bind a LUKSv1
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
Requires: nc
%description systemd
Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKSv1 block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKSv1 block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%prep
%autosetup -p1
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
getent group %{name} >/dev/null || groupadd -r %{name}
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name}
exit 0
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Backport upstream PR#70 - Handle case where we try to use a partially
used luksmeta slot
Resolves: rhbz#1672371
* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
- Disable LUKS2 tests for now, since they fail randomly in Koji
builders, killing the build
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
- Backport of upstream patches and the following fixes:
- Rework the logic for reading the existing key
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- pins/tang: check that key derivation key is available
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
- Drop need network patch
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
- Add support for tpm2-tools 4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
- Update patch for work around
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
- Work around network requirement for early boot
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1644876
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release
Reference in New Issue View Git Blame Copy Permalink